Enriching Data with Lookups (Part 1)

Many customers tell me that they see a lot of value when Splunk is used to enrich IT data with information from another source. An example of such an enrichment could be a cross reference between a customer’s username found in an application log and that same customer’s information extracted from a contact management system. How amazing would it be to have a customer service representative make a phone call to Mr. Smith to ask if he needed help logging onto their system after a number of failed logins?

Splunk has always been able to do data enrichment, but the newly released Splunk 4 really simplifies the process. In this post, I’ll give a quick example of using a CSV …

The Commoditization of the IT Professional (or is there a new Black Art?)

A recent gathering of friends (a group of IT gray-hairs, artists, and lawyers) got me thinking about IT as a profession, and about the development of the industry since I got involved 20 years ago. The question posed to the group was whether we would recommend our current professions to our children. This query, a few others, and perhaps one Liberty Ale too many started me down the track of over-analyzing the state of IT today. I suppose I am both proud and terrified at the same time.

First, the goodness. As an industry participant, IT has come a long way. Collectively, we have successfully lobbied to become more than just a cost center. The ‘nerds in the …


Field Definitions and Splunk’s extract Command

The 3.0 version of Splunk has introduced some wonderful new features such as advanced reporting, granular access control and a slew of additional functions to help you search through your IT data. One of these newly released functions is the extract command. This works very nicely with Splunk’s revamped facility to add, view, and access field names. Here is a quick primer on creating field definitions and using the extract command to have those definitions reloaded automatically.

Splunk has always done a great job at allowing you to search on any text from any data source. Splunk even goes one step beyond this and automatically defines named fields for data that shows up as a Keyword = Value (KV) pair. If …
